Docker Getting Started Tutorial (5): Docker Security. Editor's note: DockerOne has translated FLUX7's Docker getting-started tutorial. This is the fifth part of the series; it introduces Docker's security issues and, as with the earlier parts, a beginner can pick it up quickly by reading this article.
The security of open source software deserves serious attention, and with Docker there is no difference between how developers build an application locally and how it is built for production (note: the author's point is that this makes Docker's security properties matter even more). As Docker is adopted by more and more platforms, we need to be rigorous about the security of Docker both as a project and as a platform.
That is why the fifth chapter of this series discusses the issues that affect Docker's overall security. Because Docker (at the time of this tutorial) runs containers through LXC, it can readily use LXC's security features, namely the kernel's namespaces and control groups.
In the first article in this series we saw that the docker run command starts a container. What does Docker actually do when you run that command? In order:
- The docker run command is parsed and initialized.
- Docker invokes lxc-start to execute the run command.
- lxc-start creates a set of namespaces and control groups for the container.
For readers who are new to namespaces and control groups: namespaces are the first level of isolation. Processes running in one container cannot see processes running in another container, or on the host (Translator's note: DockerOne has a separate series of tutorials on namespaces). Each container also gets its own network stack, so it has no privileged access to the sockets or interfaces of another container. Containers can reach each other only through their network interfaces, for example over the docker0 bridge on the host, or through ports that you publish on the host.
Control groups (cgroups) are the other key component. They:
- Account for and limit the resources a container uses.
- Provide CPU, memory, I/O, and network metrics.
- Help prevent certain denial-of-service attacks: one container cannot exhaust the host's memory, CPU, or process table and starve the others.
- Make multi-tenant platforms practical, where several tenants' containers share one host.
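To make the namespace and cgroup layers concrete, here is an added example (it is not code from the tutorial, Docker, LXC, or FLUX7) that reads what the kernel exposes for any process: the namespace links under /proc/<pid>/ns, the cgroup path in /proc/<pid>/cgroup, and cgroup v2 limit files such as memory.max and pids.max. All sample data is constructed; read_namespaces() and read_limits() need a Linux host.

```python
"""Check the isolation Docker builds from kernel namespaces and control groups.

Added example for this tutorial (not code from Docker, LXC or FLUX7). It reads
what the kernel exposes for any process: /proc/<pid>/ns/* links, the cgroup
path in /proc/<pid>/cgroup and cgroup v2 limit files. All sample data below is
constructed; read_namespaces() and read_limits() need a Linux host.
"""
import os
import re

NAMESPACES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")
# cgroup v2 limit files and the value the kernel uses for "no limit".
UNLIMITED = {"memory.max": "max", "pids.max": "max"}
# Matches both cgroup v2 ("docker-<id>.scope") and v1 ("/docker/<id>") paths.
DOCKER_ID = re.compile(r"docker[-/]([0-9a-f]{64})")


def read_namespaces(pid):
    """{ns_name: 'ns:[inode]'} for a live process; equal strings = same namespace."""
    result = {}
    for ns in NAMESPACES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue  # namespace type missing on this kernel, or no permission
    return result


def shared_namespaces(a, b):
    """Namespace types two processes have in common.

    A container sharing 'pid' or 'net' with the host was started with
    --pid=host or --net=host and has given up that layer of isolation.
    Sharing 'user' is Docker's default: without userns-remap, uid 0 in the
    container is uid 0 on the host.
    """
    return {ns for ns in a if ns in b and a[ns] == b[ns]}


def container_id_from_cgroup(cgroup_text):
    """Docker container id (64 hex chars) from /proc/<pid>/cgroup, or None."""
    for line in cgroup_text.splitlines():
        m = DOCKER_ID.search(line)
        if m:
            return m.group(1)
    return None


def limit_findings(limits):
    """Flag cgroup limits left at 'max': an unlimited container can starve the host.

    `limits` maps a file name (memory.max, pids.max) to its content; a missing
    file is treated as unlimited.
    """
    findings = []
    for name, unlimited in UNLIMITED.items():
        if limits.get(name, unlimited).strip() == unlimited:
            findings.append(f"{name} is unlimited; pass --memory / --pids-limit to docker run")
    return findings


def read_limits(cgroup_dir):
    """Read the cgroup v2 limit files from a container's cgroup directory."""
    limits = {}
    for name in UNLIMITED:
        try:
            with open(os.path.join(cgroup_dir, name)) as fh:
                limits[name] = fh.read()
        except OSError:
            pass  # file absent: cgroup v1 host, or controller not enabled
    return limits


# Constructed samples (what these files look like on a cgroup v2 host).
SAMPLE_CGROUP = "0::/system.slice/docker-" + "ab" * 32 + ".scope\n"
HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
           "net": "net:[4026531992]", "user": "user:[4026531837]"}
# A container started with --net=host: own mnt and pid, the host's net and user.
CONTAINER_NS = {"mnt": "mnt:[4026532500]", "pid": "pid:[4026532503]",
                "net": "net:[4026531992]", "user": "user:[4026531837]"}
SAMPLE_LIMITS = {"memory.max": "536870912\n", "pids.max": "max\n"}

if __name__ == "__main__":
    print("container:", container_id_from_cgroup(SAMPLE_CGROUP))
    print("shared with host:", sorted(shared_namespaces(HOST_NS, CONTAINER_NS)))
    for finding in limit_findings(SAMPLE_LIMITS):
        print("finding:", finding)
    # On a real host compare PID 1 with a containerized process, e.g.
    # shared_namespaces(read_namespaces(1), read_namespaces(<container pid>))
```

On a live host, compare the namespace links of PID 1 with those of a process inside a container: any type that matches is a layer of isolation that container does not have. The 'user' namespace will normally match, which is exactly why the later advice about running as a non-privileged user matters.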
Docker daemon attack surface. The Docker daemon runs as root, which means several points need extra care.
Here are some things to keep in mind:
- Only trusted users should be allowed to control the Docker daemon. Docker lets you share any host directory with a container without restricting the container's access to it: a container started with the host's / mounted at /host can alter the host filesystem without restriction, so control of the daemon is effectively root on the host.
- The REST API listens on a UNIX socket by default instead of a TCP socket bound to 127.0.0.1. A loopback TCP listener is reachable from a web browser running on the same machine, which made the old setup prone to cross-site scripting style attacks; a UNIX socket is protected by ordinary file permissions (the docker group).
- If you expose the REST API over HTTP, do so only on a trusted network or over a VPN, and require TLS with client certificates (the daemon's tlsverify option).
- When you run Docker on a server, run nothing else on that server but Docker, and move the other services into containers managed by Docker.
Some of the key Docker security features include:
- Running the processes inside a container as a non-privileged user (by default they run as root; use USER in the Dockerfile or --user on the command line).
- AppArmor, SELinux, and grsecurity can be enabled for additional layers of security.
- You can apply the security features of other container systems as well.
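The two lists above (daemon attack surface, and the per-container hardening features) are things you can check mechanically. The following added example (not Docker's own tooling and not part of the tutorial) audits two inputs Docker really produces: the daemon's /etc/docker/daemon.json and the JSON printed by `docker inspect <container>`. The daemon.json keys (hosts, tlsverify, userns-remap) and the inspect fields (Config.User, HostConfig.Privileged, Binds, CapAdd, SecurityOpt, PidMode, NetworkMode) are real; the two daemon configurations and the two containers are constructed samples.

```python
"""Audit Docker daemon and container settings against the points above.

Added example for this tutorial (not Docker's own tooling). It reads two
things Docker really produces: /etc/docker/daemon.json and the JSON printed
by `docker inspect <container>`. The samples at the bottom are constructed.
"""
import json

# Host paths that, bind-mounted into a container, hand it the host itself.
DANGEROUS_BINDS = {"/", "/var/run/docker.sock", "/run/docker.sock",
                   "/etc", "/proc", "/sys", "/dev"}
# Capabilities that let a root process in the container escape or reconfigure the host.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# --security-opt values that switch off the extra MAC / seccomp layer.
DISABLED_PROFILES = {"apparmor=unconfined", "seccomp=unconfined", "label=disable"}


def audit_daemon_config(cfg):
    """Findings for daemon.json: a remote API is root on the host, so TLS or nothing."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// sockets are protected by file permissions
        if not cfg.get("tlsverify"):
            findings.append(f"API on {host} without tlsverify: anyone who can reach it is root on the host")
        elif host.startswith("tcp://0.0.0.0"):
            findings.append(f"API on {host} bound to all interfaces; restrict it to a trusted network or VPN")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: root inside a container is root on the host")
    return findings


def audit_container(inspect_obj):
    """Findings for one element of `docker inspect` output (a parsed JSON dict)."""
    findings = []
    config = inspect_obj.get("Config") or {}
    host = inspect_obj.get("HostConfig") or {}
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root inside the container; set USER in the Dockerfile or pass --user")
    if host.get("Privileged"):
        findings.append("--privileged: every capability and all host devices; isolation is nominal")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in DANGEROUS_BINDS:
            findings.append(f"bind mount of host {src}: the container can read or alter the host through it")
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in RISKY_CAPS:
            findings.append(f"--cap-add {cap}: enough to escape or reconfigure the host")
    for opt in host.get("SecurityOpt") or []:
        if opt in DISABLED_PROFILES:
            findings.append(f"--security-opt {opt}: drops the AppArmor/SELinux/seccomp layer")
    if host.get("PidMode") == "host":
        findings.append("--pid=host: the container sees and can signal every host process")
    if host.get("NetworkMode") == "host":
        findings.append("--net=host: no network namespace, the container shares the host's sockets")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON list that `docker inspect` prints."""
    return {c.get("Name", "?"): audit_container(c) for c in json.loads(text)}


# Constructed daemon.json contents: API exposed in the clear, and the hardened form.
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
                   "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
                   "tlscert": "/etc/docker/server-cert.pem",
                   "tlskey": "/etc/docker/server-key.pem",
                   "userns-remap": "default"}
# Constructed `docker inspect` output, trimmed to the fields audited here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/weak-app", "Config": {"User": ""},
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app/data:/data"],
                    "CapAdd": ["SYS_ADMIN"], "SecurityOpt": ["apparmor=unconfined"],
                    "PidMode": "host", "NetworkMode": "bridge"}},
    {"Name": "/hardened-app", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "Binds": ["/srv/app/data:/data:ro"],
                    "CapAdd": None, "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges"],
                    "PidMode": "", "NetworkMode": "bridge"}},
])

if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_DAEMON):
        print("daemon:", finding)
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

To run it against a real host, feed `json.load(open("/etc/docker/daemon.json"))` to audit_daemon_config and the output of `docker inspect $(docker ps -q)` to audit_inspect_output. The bind-mount check is the one that matters most for the daemon attack surface: a container holding the Docker socket, or the host's /, can do anything the daemon can, which is everything.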
Docker's REST API (served by the daemon and documented at docker.io) is used to manage several operations related to authorization and security. The following table lists some of the API commands used to maintain these security features.
In the next article in this series we will continue with the advanced use of the Docker commands introduced in the second article.